Windows 2008 Event Log Servers detected by NSX as Win2K3 when added using GUI



Article ID: 317727


Products

VMware NSX

Issue/Introduction

Symptoms:
While setting up Event Log Scraping for Identity Firewall, you add a Windows 2008 Event Log Server from the GUI. NSX detects the Win2K8 server as Win2K3.

Log scraping does not work: NSX is unable to capture the login events forwarded by the affected event log servers, so Identity Firewall does not apply the expected user-based rules.

Cause

When the event log server is added from the UI, NSX Manager does not detect the server type correctly. The API call that performs the same operation detects it correctly.

Resolution

This issue is resolved in VMware NSX Data Center for vSphere 6.4.7, available at VMware Downloads.

Workaround:
Delete the event log server and then re-add it via the API as shown below.

POST /api/1.0/directory/updateEventLogServer

Request Body:

<EventlogServer>
    <domainId>1</domainId>
    <hostName>eventlog_server_1.abc.com</hostName>
    <enabled>true</enabled>
</EventlogServer>


(You can retrieve the domain id used above from GET /api/1.0/directory/listDomains.)

The API response should show WIN2K8 in serverType, and the GUI should now also show the server as WIN2K8.
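The workaround above, carried out as a script. This is an added example and not part of the KB article: it assumes the old entry has already been deleted, that NSX Manager uses HTTP Basic authentication with credentials kept in a netrc file, that NSX_MGR and NSX_CA_CERT are set in the environment, and that the POST response carries a serverType element as the article states. The domain id is the one you retrieved from GET /api/1.0/directory/listDomains; the hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the KB): re-add an NSX-v event log server through the
# REST API and confirm which serverType NSX Manager detected.
# Assumptions: the old entry is already deleted; NSX_MGR is the NSX Manager FQDN;
# NSX_CA_CERT is the CA certificate that signed the NSX Manager TLS certificate;
# credentials are in a mode-600 netrc file (NSX_NETRC, default ~/.netrc).

# Build the request body the KB gives for POST /api/1.0/directory/updateEventLogServer.
build_body() {
  printf '<EventlogServer>\n  <domainId>%s</domainId>\n  <hostName>%s</hostName>\n  <enabled>true</enabled>\n</EventlogServer>\n' "$1" "$2"
}

# Extract the first <serverType> value from an API response (prints nothing if absent).
server_type() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*<serverType>\([^<]*\)<\/serverType>.*/\1/p' | head -n 1
}

# POST the body and check the detected type. Returns 0 only when NSX reports WIN2K8.
readd_eventlog_server() {
  domain_id=$1
  host=$2
  : "${NSX_MGR:?set NSX_MGR to the NSX Manager FQDN}"
  : "${NSX_CA_CERT:?set NSX_CA_CERT to the NSX Manager CA certificate path}"
  # --cacert instead of -k: the reply carries Identity Firewall configuration state,
  # so do not silently accept an unverified TLS endpoint.
  resp=$(curl -s --cacert "$NSX_CA_CERT" --netrc-file "${NSX_NETRC:-$HOME/.netrc}" \
           -H 'Content-Type: application/xml' \
           -X POST "https://$NSX_MGR/api/1.0/directory/updateEventLogServer" \
           --data-binary "$(build_body "$domain_id" "$host")")
  detected=$(server_type "$resp")
  case $detected in
    WIN2K8) echo "OK: $host registered with serverType $detected"; return 0 ;;
    '')     echo "ERROR: no serverType in response: $resp" >&2; return 2 ;;
    *)      echo "WARN: $host registered with serverType $detected, expected WIN2K8" >&2; return 1 ;;
  esac
}

# Usage: ./readd_eventlog.sh <domainId> <hostName>
# (domainId comes from GET /api/1.0/directory/listDomains)
if [ $# -ge 2 ]; then
  readd_eventlog_server "$1" "$2"
fi
```

Run it as `./readd_eventlog.sh 1 eventlog_server_1.abc.com`; a non-zero exit means the server still came back as something other than WIN2K8 and the entry should be checked in the GUI before relying on Identity Firewall rules for that domain.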

Additional Information

NSX Manager logs (vsm.log) show the server being treated as Windows 2003 when it was added from the GUI.

2019-09-09 12:45:34.828 AST  INFO http-nio-127.0.0.1-7441-exec-20 DirectoryModificationObserver:158 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Event log server saved, event log server id: 31
2019-09-09 12:45:34.829 AST  INFO taskExecutor-12 RestartEventLogReaderEventLogServerListener:36 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] EventLogServer with id: 31 saved, restart event log reader.
2019-09-09 12:45:34.832 AST  INFO taskExecutor-12 EventLogComponent:183 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Restarting event log reader for event log server EventLogServer[id=31,hostname=eventlog_server_1.abc.com]
2019-09-09 12:45:34.834 AST  INFO taskExecutor-12 WinEventLogCIFSReader:75 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] CIFS reader for eventlog_server_1.abc.com is starting...
2019-09-09 12:45:34.842 AST  INFO taskExecutor-12 EventLogContext:87 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] Widnows 2003 Server event log context for server eventlog_server_1.abc.com started.